sanitize-url icon indicating copy to clipboard operation
sanitize-url copied to clipboard
verified publisher icon braintree

Overly restrictive of `data:` URIs

Open ndrezn opened this issue 1 year ago • 2 comments

Hi folks, this package disallows data: URIs wholesale, which can be susceptible to the XSS exploit. However, there are cases where it's still a useful standard. Over in https://github.com/plotly/dash, we're using this project to sanitize URIs to protect against XSS, but some users have brought up that blanket prevention of data: can be overly restrictive (https://github.com/plotly/dash/issues/2764).

This may not be an issue with this package per se, but the question is whether it is a reasonable approach to blanket disallow data: or whether there is a more fine-grained sanitation scheme that might allow certain kinds of valid data: URLs; maybe this is something maintainers of this package have thought about. Thanks!

ndrezn avatar Mar 27 '24 19:03 ndrezn

For example, Mozilla has a broader definition of allowed data: URIs:

Whereas the following cases will be allowed:

  • User explicitly entering/pasting “data:…” into the address bar
  • Opening all plain text data files
  • Opening “data:image/*” in top-level window, unless it’s “data:image/svg+xml”
  • Opening “data:application/pdf” and “data:application/json”
  • Downloading a data: URL, e.g. ‘save-link-as’ of “data:…”

See: https://blog.mozilla.org/security/2017/11/27/blocking-top-level-navigations-data-urls-firefox-59/

ndrezn avatar Mar 27 '24 20:03 ndrezn

Hello, We'll take a closer look at this issue.

Thanks for sharing. (internal tracking BTWEB-1172)

ibooker avatar Aug 06 '24 17:08 ibooker